Too late to upgrade election defenses?

UPCOMING ELECTIONS INCREASINGLY IN TROUBLE — Pressure is building on House and Senate lawmakers to pass some kind of legislation to secure U.S. election systems before voters go to the polls next year. But it may already be too late for some key targets, Martin reports, given that U.S. officials have said Russian hackers were already in the Democratic National Committee networks for at least three months by this point in the 2016 election cycle. Members of both parties insist they can get something done before Election Day 2018, but also admit that the window is rapidly closing. Voters will cast their ballots in the country’s first primaries in just over three months — a narrow timeline to implement any number of reforms, like swapping out aging voting machines and making software fixes that can help fend off cyberattacks like the kind that roiled the 2016 presidential election. “Not a lot of time, no question,” said Senate Intelligence Chairman Richard Burr.


Cybersecurity experts have been ringing the alarm for years that America’s election system is a sitting duck for hackers looking to cause chaos. Voter rolls have regularly been stored on poorly protected networks, and the country has long relied on outdated electronic voting machines. At the state and local level, governments often lack the funds to hire cyber professionals or properly train staff. Yet Capitol Hill has not passed any legislation that specifically tackles the issue. “I’m concerned that there’s not enough urgency broadly to move legislation forward,” said Sen. Martin Heinrich, who is co-sponsoring a bill that would speed through security clearances for top election officials, giving them access to classified information on hacking threats. “But we’re going to keep pushing, because I think these problems are not going away.”

“It’s high time we got started, and it will be too late soon if there isn’t action,” said J. Alex Halderman, a University of Michigan computer scientist and a leading expert on digitally securing elections. Congress is a “critical missing piece” in terms of leadership and allocating resources, said Lawrence Norden, the deputy director of the Democracy Program at the Brennan Center for Justice at the New York University School of Law, who co-wrote a recent paper on digitally securing elections. Even if a consensus bill emerged on Capitol Hill, some lawmakers expressed reservations that GOP leadership would let it get a floor vote. But members on both sides of the aisle — and in the normally pessimistic cybersecurity community — remain cautiously hopeful. “I don’t want to sound too pollyannaish or optimistic but I haven’t given up on the fact something significant could happen from this Congress in time to have an impact on 2018 and certainly 2020,” Norden said. “If something does happen … then I think that they will be blamed. No question.”

YES, KASPERSKY IS BANNED, BUT… — The Department of Homeland Security ban on Russia-based Kaspersky Lab software in federal agencies has a big hole, cyber experts warn: It doesn’t apply to contractors’ own networks. “It’s a huge area of risk, especially with some of the recent breaches at the NSA and the CIA where it was clear that these contractors were the source of it,” said Trevor Rudolph, the former head of an Office of Management and Budget team that helps agencies improve their cyber defenses, now a cyber policy fellow at New America.

Under the order, the ban doesn’t cover contractors’ private networks. There may be a good reason, though — DHS doesn’t have the legal authority to dictate that, contractors and former government officials said. Read the full story from Eric here.

WOMEN RULE WEEK! POLITICO is partnering with women-led businesses in the DC-metro area to offer a full week of exclusive perks in conjunction with the 5th annual Women Rule Summit! Join the fun at participating businesses during Women Rule Week (Nov. 27 – Dec. 1) for exclusive deals and tweet 5x using #WomenRule for a chance to win two free tickets to the Summit on Dec. 5!

UBER UNDER INVESTIGATION — At least five state attorneys general — in Connecticut, Illinois, New York, Massachusetts and Missouri — have opened inquiries into Uber’s cover-up of last year’s data breach that affected an estimated 57 million users of the ride-hailing service. The U.K.’s data privacy watchdog launched an investigation into Uber concealing the breach, too, while European Union privacy regulators could start a task force.

And a number of members of Congress are calling for action. “The unending barrage of breaches shows that the current system is not working for consumers,” said Rep. Frank Pallone, the top Democrat on the House Energy and Commerce panel. “The Federal Trade Commission must immediately begin an investigation into both the breach itself and the company’s outrageous delay in disclosing the breach.” Sen. Richard Blumenthal also called for an FTC investigation and congressional hearing. And Rep. Dan Lipinski said the Uber breach reveals the need for federal data breach notification legislation that spells out punishments for companies that delay disclosure.

WHITHER JARED? — President Donald Trump adviser and son-in-law Jared Kushner’s portfolio and profile are shrinking, The New York Times reported over the weekend. But that offers a mixed bag for his initiative to modernize aging federal computer systems via the Office of American Innovation. On the plus side, the Modernizing Government Technology Act (H.R. 2227), a bill his office helped shape to fund government-wide tech upgrades, is on the verge of becoming law. And the White House spin is that the departure of Reince Priebus and Steve Bannon — frequent sparring partners for Kushner — has allowed him to focus on behind-the-scenes nitty gritty.

On the other hand, “Kushner’s push for technological advances is hobbled by a lack of permanent officials to carry out policy changes at the agency level,” most notably chief information officers across the federal government. POLITICO Pro Cybersecurity readers got that warning from Eric’s story on the Office of American Innovation in May, which noted that without feedback from career civil servants, Kushner’s federal IT modernization initiative could stumble.

JOCKEYING ON HOUSE JUDICIARY — Rep. John Conyers’ announcement that he would step down from his post as the top Democrat on the Judiciary Committee amid accusations of sexual harassment could have major ramifications for the nation’s spying programs, including Section 702 of the Foreign Intelligence Surveillance Act. Second-ranking Democrat Rep. Jerry Nadler and Rep. Zoe Lofgren, another senior member on the panel, have been privately jockeying to succeed Conyers as ranking member for years, assuming he would step down after 2018.

If Lofgren assumed the post, it would put a strident privacy hawk atop the committee as lawmakers look to renew the hotly debated online snooping programs. The California Democrat, along with libertarian-minded lawmakers, tried for years to restrain surveillance under the 702 statute through the appropriations process, a fight that has continued into this year.

Democratic Caucus rules dictate the next most senior Democrat, in this case Nadler, automatically assumes the post if a ranking member or chairman is indicted, but they’re less clear on what happens in an instance like this. There is no precedent for a contest to replace a ranking member who steps aside midterm. “This is no coronation. Zoe is definitely in the mix,” a Democratic aide close to Lofgren’s office told POLITICO.

SERIOUSLY? — Suspected Russian hackers targeted the personal email accounts of hundreds of current and former American officials, but the FBI has so far notified only a small fraction of those targets, according to the Associated Press. In interviews with the AP, many of the targets said they first learned that they were on the Kremlin’s list when the publication reached out to them. A senior FBI official told the AP that the bureau was “overwhelmed” by how many people they had to notify. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” the official said. The AP used information from the cybersecurity firm SecureWorks to trace Russia’s attempts to breach the Gmail accounts, finding more than 500 Americans and U.S. organizations on the target list. The publication interviewed almost 80 targets.

Many of Russia’s targets have been out of government service for years, but the AP said that one quarter of them either were still serving or still held security clearances. Only two people said that the FBI had notified them. Several others heard from the FBI after first seeing their emails leaked. “You’ve got to tell your people,” Philip Reiner, a former National Security Council staffer, told the AP. “You’ve got to protect your people.”

ERMAHGERD, IMGUR — Unknown hackers breached image-hosting service Imgur and compromised the email addresses and passwords of 1.7 million users in 2014, the company announced late last week. “We are still investigating how the account information was compromised,” the company said in a statement. “We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm … that was used at the time.” Imgur said it updated to a newer algorithm last year. The company first learned of the breach on Nov. 23, when data breach expert Troy Hunt told the firm that he had received allegedly hacked user data.

“I disclosed this incident to Imgur late in the day in the midst of the U.S. Thanksgiving holidays,” Hunt told ZDNet. “That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.” Imgur said that because it never asked for users’ real names, addresses or phone numbers, there was none of that data in the breached material. The company also said it was “still actively investigating the intrusion.”
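The Imgur statement above makes a point that applies to any password database: a fast, unsalted hash is cheap to brute-force once the database leaks, and the fix is not only to switch to a slow, salted algorithm for new accounts but to migrate the existing records, which can be done transparently at the moment each user next logs in (the only time the plaintext is available). The following added example illustrates that pattern; it is not Imgur's code, and the page does not name the algorithms Imgur used, so unsalted SHA-1 stands in here as a constructed legacy scheme and scrypt as the replacement. The records and user names are constructed sample data.

```python
"""Verify passwords against mixed legacy/modern records and upgrade legacy
records to scrypt on the next successful login.

Added example: unsalted SHA-1 is a hypothetical stand-in for an "older
hashing algorithm"; scrypt (hashlib.scrypt, Python 3.6+) is the upgrade.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

MODERN_PREFIX = "scrypt$"
# scrypt cost parameters: 2**14 iterations, r=8, p=1 uses about 16 MiB of
# memory per hash, which stays under hashlib's default 32 MiB maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def legacy_hash(password: str) -> str:
    """Constructed legacy scheme: fast, unsalted SHA-1 hex digest.
    Identical passwords produce identical hashes and each guess costs one
    cheap SHA-1 call, which is what makes offline brute force practical."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record: 'scrypt$<b64 salt>$<b64 derived key>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return (MODERN_PREFIX
            + base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(dk).decode("ascii"))


def is_legacy(stored: str) -> bool:
    return not stored.startswith(MODERN_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format in constant time."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_hash(password))
    _, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


def login(db: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; on success, rewrite a legacy record as scrypt.
    Failed attempts never touch the stored record."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        db[user] = modern_hash(password)  # plaintext is in hand only now
    return True


def count_legacy(db: Dict[str, str]) -> int:
    """How many records still await migration (a useful progress metric)."""
    return sum(1 for stored in db.values() if is_legacy(stored))


if __name__ == "__main__":
    # Constructed sample database: one pre-migration record, one modern.
    users = {"alice": legacy_hash("correct horse"),
             "bob": modern_hash("battery staple")}
    print("legacy records before:", count_legacy(users))
    print("alice wrong password:", login(users, "alice", "wrong"))
    print("alice right password:", login(users, "alice", "correct horse"))
    print("legacy records after:", count_legacy(users))
```

Accounts whose owners never return are never upgraded by this path alone, so a migration also needs a deadline after which remaining legacy records are invalidated and those users are forced through a password reset.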

RECENTLY ON PRO CYBERSECURITY — An appeals court reacted skeptically to a privacy-oriented lawsuit against Trump’s voter fraud commission brought by the Electronic Privacy Information Center. … “Facebook announced today it will unveil a tool by year’s end allowing users to learn of any Facebook or Instagram contact they may have had with Russian internet trolls leading up to and following the 2016 U.S. election.” … Trump and congressional leaders are meeting this week to discuss how to avoid a government shutdown. … The Federal Communications Commission chairman unveiled his plan to end net neutrality regulations.

TWEET OF THE DAY — At some point we’ll really have to answer this question.

QUICK BYTES

— “A Canadian accused by the United States of helping Russian intelligence agents break into email accounts as part of a massive 2014 breach of Yahoo accounts is expected to plead guilty.” Reuters.

— Google has run ads for illegal phone spyware that helps people snoop on their spouses. The Daily Beast.

— The Air Force is wrapping up a study about how to integrate air, space and cyber. C4ISRNET.

About The Author

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.